
WordPress Website Builder Vulnerability Affects Nearly 1 Million Websites

A significant vulnerability has been patched in the Website Builder by SeedProd that has over 900,000 installations. This vulnerability, present in versions up to and including 6.15.21, poses a risk for unauthorized data modification on WordPress sites.

Vulnerability Details: Missing Capability Check

The vulnerability is a missing capability check in the ‘seedprod_lite_new_lpage’ function.

Capabilities are specific actions that users or roles are allowed to perform. A capability check is an important security feature in WordPress for managing permissions and access control: it determines whether the current user has the authority to perform a specific action.

It is related to, but narrower than, a role check. A role check verifies the user’s role (administrator, editor, and so on), while a capability check verifies whether the user holds a specific permission. A capability check therefore provides more granular control over permissions than a role check.

The missing capability check allows unauthenticated attackers to potentially modify the content of various pages created using the plugin, such as coming-soon or maintenance pages. The absence of this security feature exposes websites to risks of data tampering.

Unauthorized Data Modification

Unauthorized modification of data is a serious security issue. It arises from a flaw that lets individuals who should not have access alter stored data, which can then be leveraged for further attacks. Addressing this kind of vulnerability in the Website Builder plugin is highly recommended.

Severity and Impact: High-Risk Exposure

The vulnerability is rated 8.2 on a scale of 1 to 10, a severity classified as ‘High’ under the Common Vulnerability Scoring System (CVSS). The high rating reflects how serious the potential impact is.

This vulnerability is so new that there is currently no entry in the National Vulnerability Database for the assigned CVE number CVE-2024-1072.

However, Wordfence WordPress security researchers emphasized the seriousness of the Website Builder by SeedProd vulnerability:

“This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin.”

Recommendation For Website Builder Plugin Users

The publisher of the Website Builder by SeedProd has responded by releasing an updated version, 6.15.22, which addresses this vulnerability. The update includes a security nonce to mitigate the risk, and users of the plugin are strongly advised to update immediately to secure their website against attacks.

Regarding the nonce, WordPress explains what it is:

“A nonce is a ‘number used once’ to help protect URLs and forms from certain types of misuse, malicious or otherwise.

…They help protect against several types of attacks…”
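As an added illustration, and not SeedProd’s own code, here is a hypothetical plugin AJAX handler in the shape the article describes: the version with neither a capability check nor a nonce, beside the corrected version that verifies both. The `demo_lp_*` function, option and action names and the `editor.js` path are assumptions.

```php
<?php
// Added example, not SeedProd's code. A hypothetical plugin stores landing-page
// content in an option and updates it through an admin-ajax.php action.
// All demo_lp_* names and the editor.js path are assumptions.

// BEFORE: no capability check, no nonce, and registered for unauthenticated
// requests as well, so anyone who can reach admin-ajax.php can overwrite
// the stored page content. Kept under its own action name for contrast only.
function demo_lp_save_page_insecure() {
    $page_id = sanitize_key( $_POST['page_id'] ?? '' );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    $pages   = get_option( 'demo_lp_pages', array() );
    $pages[ $page_id ] = $content;
    update_option( 'demo_lp_pages', $pages );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_lp_save_page_insecure', 'demo_lp_save_page_insecure' );
add_action( 'wp_ajax_nopriv_demo_lp_save_page_insecure', 'demo_lp_save_page_insecure' );

// AFTER: verify the nonce (stops forged and replayed form submissions), then
// check a capability (authorization), and register for logged-in users only.
function demo_lp_save_page_secure() {
    // Dies with a 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'demo_lp_nonce', 'nonce' );

    // A valid nonce alone does not prove the user may edit pages;
    // the capability check is what enforces authorization.
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $page_id = sanitize_key( $_POST['page_id'] ?? '' );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    $pages   = get_option( 'demo_lp_pages', array() );
    $pages[ $page_id ] = $content;
    update_option( 'demo_lp_pages', $pages );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_lp_save_page', 'demo_lp_save_page_secure' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated users get no handler.

// The admin editor script receives the matching nonce to send with each request.
function demo_lp_enqueue_editor() {
    wp_enqueue_script( 'demo-lp-editor', plugins_url( 'editor.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-lp-editor', 'demoLp', array(
        'nonce' => wp_create_nonce( 'demo_lp_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_lp_enqueue_editor' );
```

When reviewing a plugin, look for every `wp_ajax_` and `wp_ajax_nopriv_` callback that writes data and confirm it performs both checks, not just one.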

Read the announcement by Wordfence:

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpag

Read the official SeedProd Changelog

Featured Image by Shutterstock/Nikulina Tatiana
